Encrypted files on Sandblast agent

Hi

Please, I need to understand what happens in SandBlast Agent with encrypted files protected by a password.

I suppose:

1) Encrypted files are considered malicious and not sent to the user.

2) Encrypted files are opened in Threat Emulation, but before the emulation it is necessary that the receiving user knows the password to open the file. It is necessary to put this password in the configuration of the SandBlast Agent or in the configuration of the Threat Emulator to open the file during the threat emulation operation.

Re: Encrypted files on Sandblast agent

Support for encrypted archives exists (by scanning the subject or body of email).

Support for password protected documents (technically encrypted with a password) does not, and this is where CP should focus.

TE cannot break the password or encryption but once the file is delivered to the endpoint client and the user enters the password, the behaviour of the file should be analysed from the SandBlast Agent. At this point it doesn't.

Re: Encrypted files on Sandblast agent

In regard to SK112821, yes, you need to supply those interesting words before the emulation. One practice is to have a predefined password set for your communications. This is an issue on management but a workable solution.

Unfortunately once a file/archive is password protected/encrypted there are not many options to analyse the content.